Cyber-security: the new arms race – and how to profit from it

As featured in this month’s magazine.

2015 will go down as the year when cyber-security entered not just the mainstream media, but also board rooms and executive offices. Making sure that customer information and other sensitive data stays safe has become recognised as a subject that can take down CEOs and even entire companies. Ashley Madison, the adultery website that saw its 37m datasets about clients leaked to the public, was just one recent example of many. What was once regarded as a subject that was best delegated to the IT department is now a major growth area. Investors, too, have started paying attention to the growing number of opportunities in the field.

It’s quite possible that in a few years’ time, the cyber-security industry will talk about the time “before Ashley Madison” and “after Ashley Madison”. Whereas this is by no means the biggest case in point, it certainly was the most evocative case. With information on 37 million prospective adulterers, including their sexual preferences, with lots of celebrities and captains of industry involved, it’s hard to imagine a data leak that could have made for juicier media material.

The scope of the entire security problem of the IT industry is staggering. Cyber attacks in 2014 have claimed high profile victims such as JP Morgan, the White House, Yahoo, AT&T, eBay, Apple, UPS, and even Google. In the UK, a recent high profile victim was Talk Talk, the telecoms and internet service provider.

At times, it feels like there is a new attack every day, and on more than the odd occasion the size of the security breaches is nothing but mind-boggling. The JP Morgan cyber attack affected 76 million households in the US. To put that immense number into perspective, recent estimates indicate that fewer than 120 million households exist in the US.

Finally, the cyber-security industry is getting the attention it deserves – and it’s now officially one of the world’s fastest-growing sectors of the information technology business! Between 2015 and 2020, the size of the industry is projected to grow from $77bn to $170bn. That’s equivalent to a compound annual growth rate of 9.8%. The European market for cybersecurity is expected to grow to $35.5bn by 2019, equivalent to a compound annual growth rate of 7.2%. Europe accounts for 27% of the entire global market for cybersecurity, with further major markets in the US and Asia.

Within this industry are a number of sectors that are projected to grow even more quickly. Amazingly enough, so far hardly anyone has paid attention to insuring against the risks arising from insufficiently secure IT systems. Two years ago, the global market for insurance against computer security breaches amounted to just $1 billion, and most of that was focused on the US market. During the past 24 months, the market has grown 150% to $2.5 billion. Further growth is virtually a certainty, as insurance companies start offering products for this area. An entirely new set of terms is emerging, such as “cost-per-breach”.

The sheer scale of the problem is only now emerging. One of the peculiarities of cyber-security issues is that few companies actually report a breach when one has occurred. Companies are embarrassed and afraid of claims from customers whose data they lose to unauthorised third parties. Reported security breaches alone are estimated to cost private enterprise between $400 billion and $500 billion per year. The unreported cases could add 2-3 times as much to the bill. Cyber-criminals stole up to $1 billion from approximately 100 financial institutions in the US, Germany, Russia, Ukraine, and China over a two-year period, according to researchers from security firm Kaspersky Lab.

Hacking into computer systems is now a global industry, with computer experts hiring themselves out to corporations, governments and other clients to illegally break into computer systems of competitors and other nations. The US government alone has spent $100 billion on computer security since 2000 and is currently running a yearly budget of $15 billion dedicated to cyber-security. Between 2000 and 2015, the yearly budget the US federal government spends on cyber-security increased 14-fold. Pretty much everywhere else in the world, government budgets for cyber-security are rising at comparable speeds.

The ever-increasing number of computer devices on the planet is adding another level of complication to the subject. Cars are now so dependent on computer chips that they, too, have become the target of hacker attacks. Add to this the billions of mobile devices such as phones and tablets, as well as the increasing number of devices used to operate homes and households, and you get a feel for how many potential gateways there are for unsavoury characters breaking into computer systems and stealing or manipulating data.

The industry is already struggling with a shortage of labour. In the US alone, more than 200,000 positions related to cyber-security are unfilled because there are simply not enough qualified professionals available. It is estimated that at the current rate there’ll be a shortage of 1.5 million cyber-security professionals around the planet by 2020. Obviously, an increase in salaries could lead to a run on universities and other institutions that offer training for this area. A recent Rand Corporation study estimated there are around 1,000 top-level cybersecurity experts globally vs. a need for 10,000 to 30,000.

Experts in the field point out that the market is now simply catching up with standards that should have been adopted many years ago but were simply ignored. The industry is now in catch-up mode, driven by the desire of decision-makers in companies and government authorities to secure their personal career against any Ashley Madison-style occurrences. Ashley Madison’s CEO, after all, lost his job following the data breach. His spectacular downfall, involving the cancellation of a planned $200 million IPO, will remain on other managers’ minds for many years to come.

The growth of the Internet and the every-day use of electronic devices have created a huge opportunity for companies that offer cyber-security solutions and related services and products. In retrospect, it’s baffling that it should take so long to see increased awareness that the benefits the information technology industry has brought to everyday life aren’t entirely risk free. A recent poll in the US stated that Americans now worry about falling victim to cyber crime more than any other type of crime. Clearly, the public has now caught on.

With those risks finally firmly on the radar screen, it’s a near-certainty that new multi-billion dollar companies will emerge – some of which could make early investors rich in the process. For investors looking to gain a slice of the action, the companies covered in this article are a good place to start your research.

UK large- and mid-cap stocks with exposure

Although defence giant BAE Systems (LSE:BA.) is better known for its ships, planes and tanks, it is now a major cyber security player in its own right. In recent decades BAE has undergone a transformation that has seen it refocus its offering away from hardware and toward services, which now account for roughly half of group turnover. As a major element of this transformation, between 2008 and 2011 BAE acquired five cyber security firms, including the £531 million purchase of UK market leader Detica. Renamed BAE Systems Applied Intelligence, this unit now heads up the firm’s cyber portfolio.

With sales growth in conventional armaments muted due to the budget restraints of major customers, the move into the cyber security sector has proved to be a useful source of growth to offset a more lacklustre performance elsewhere in the business. Overall, mid-single digit sales growth is expected in the cyber division in 2015 with strong sales growth of around 30% planned in Applied Intelligence offsetting marginally lower sales in Intelligence & Security. BAE offers exposure to the sector via a diversified portfolio of defence assets, which also comes with strong income attractions. The prospective FY16 dividend yield of 4.8% is almost twice covered by prospective earnings estimates, and the firm appears conservatively geared with net debt of just over 1x EBITDA.

Another firm to look out for is QinetiQ (LSE:QQ.), whose expertise in this area permeates its offering and proliferates its image as HM Government’s ‘go to’ tech specialist. QinetiQ’s cyber intelligence business, Cyveillance, recently launched a cloud-based cyber threat centre that monitors the internet, provides alerts and delivers data on domain names, IP addresses, phishing and malware attacks. This provides direct access for customers to its monitoring and investigative tools and complements its existing consultancy-based services. We also like QinetiQ for its exposure to a raft of growth markets, such as robotics, unmanned aircraft and the space industry, not to mention its net cash pile of £195.5 million (as as 31^st March 2015) and relatively modest valuation.

Meanwhile, Ultra Electronics (LSE:ULE) generates a quarter of its revenues from its Security & Cyber division where it notes that “budgets are increasing, particularly in nations that face terrorism, border control issues, internal threats and IT infrastructure dependencies.” Ultra, which draws just over half of its revenues from the defence sector, has expertise in a number of specialist areas which are often seen as ‘mission critical’ and where its technology is market leading. The shares don’t look particularly expensive on c.15x prospective earnings, but activity levels remain subdued, with a book to bill ratio of 0.93x for the six months to June 2015.

Cyber Insurance

A less obvious way to gain exposure to the growth in the cyber security market is via the insurance companies that insure against losses incurred through cyber crime. Surprisingly, only a limited number of companies outside the US are buying cyber insurance; but the trend is nevertheless clear and inexorable. In particular, the US and UK governments are keen to insure that companies do more to safeguard themselves and their customers in this regard, and legislation is slowly making its way through in both jurisdictions, not to mention the EU, which should help steer things in the right direction. Cyber cover is set to be a major growth area of the insurance industry according to an Insurance Institute poll, which saw 80% of respondents concur with that statement.

According to broker Westhouse, Beazley (LSE:BEZ) is currently the clear UK market leader and enjoys early mover advantage in this area via its Beazley Breach Response product. The other two companies to look out for are fellow Lloyds insurers Novae (LSE:NVA) and Hiscox (LSE:HSX). Global cyber premiums are estimated to have reached $2.4 billion (£1.6 billion) in 2014, up from US$1.3 billion (£850 million) in 2013 (source: ITProPortal, February 2015). To put this into context, total non-life premiums in the advanced economies were $1.65 trillion in 2013. Given that cyber increasingly permeates most aspects of our daily lives, it is only rational to assume that cyber insurance premiums will continue to grow strongly in both absolute and relative terms for the foreseeable future.

UK pure-play cyber stocks

With a market cap of almost £1.2 billion, Sophos (LSE:SOPH) is the UK’s largest listed pure-play cyber security company. The Oxfordshire based company made its stock market debut in July and is still majority owned by private equity group Apax Partners, who offered 35% of Sophos stock in the IPO in order to reduce debt. The firm sells its software, which protects against hackers and cyber attacks, to mid-sized corporate, which account for around three quarters of the IT security market and are generally seen to be less prepared than larger companies to cope with the cyber threat. Revenues have been growing rapidly and the firm managed to turn a $22.2 million operating profit in the year to March. The upfront subscription-based business model makes Sophos highly cash generative, with cash generation well above the equivalent EBITDA figure for the year to March.

Meanwhile, NCC (LSE:NCC) (which stands for National Computing Centre) pinpoints and eradicates security flaws in applications using penetration testing, reverse engineering and code reviews, while providing assurance over security and vulnerabilities for all information held, software and applications used, as well as the web environments. It also works to plan for and manage the impact of a potential hack and a rapid response forensic team. With its talents in high demand among many high profile organisations, NCC Group is fast becoming a truly international business, with operations in four continents and associated benefits of scale. In particular, its Total Assurance offering, which provides organisations with peace of mind that their most important assets are protected and operating as they should be at all times, is considered to be unrivalled within the industry.

Of particular note for the future is the firm’s investment in .trust, a generic top level domain (gTLD) which aims to create a universal environment for end users to operate and navigate the internet with complete safety and security. The group established a new wholly owned subsidiary, Artemis Internet Inc. in San Francisco, to develop the critical infrastructure and know-how to deliver this project. While Domain Services is expected to generate revenues in the current financial year (to 31 May 2016), the division is still expected to report a modest loss this year as the Group continues to roll-out and invest in its new capabilities. However, it is expected that the division will make a positive contribution in the financial year to May 2017 as all the service lines start to contribute fully. The ultimate goal is to offer a unique and secure gated community for companies to offer improved security enabling their end users and customers to interact with them safely and securely over the Internet.

Growth in both revenue and profitability has been fairly consistent over the years, and the most recent trading update flagged organic revenue growth of 17%, an improvement on the 14% seen in the previous half. Management are confident that they remain on course “to sustain our double digit organic growth and strong cash generation” and expect to meet expectations for the current financial year.  And with over 50% of the Group’s revenues now outside the UK – with the majority in North America – the firm’s ascent will not have gone unnoticed in the industry. We believe NCC will become a takeover target before long (if it isn’t already), although the strong performance in recent years now means the shares are trading on c.23x current year’s earnings forecasts.

Finally, GB Group (LSE:GBG) specialises in identity management, primarily generating revenues from software that helps consumer-facing businesses identify their customers. The firm is particularly exposed to the growth of online commerce via its ID verification business as the reliable identification of remote users becomes ever more important to business. In the UK there are significant opportunities for growth as automated processes replace manual checks. Meanwhile, although a relatively small amount of revenues are derived from overseas at present, international expansion is seen as a major avenue for growth in the coming years. The group has access to multiple data sets, many of which are exclusive to GB and are major competitive barriers to entry. The shares have clear strategic value, but currently trade on a P/E ratio in the mid-30s reflecting the firm’s strong and consistent growth record.

US Stocks

Readers may well be familiar with Symantec Corp. (NASDAQ:SYMC) through its Norton Antivirus product. At first glance, Symantec might not seem the most exciting cyber security play, as recent sales and profit growth figures have been lacklustre. This is partly down to the fact that the large corporate that constitute Symantec’s main client base have built up their own in-house security departments which has led to reduced demand for Symantec’s products and services. That said, the firm is a strong cash generator and pays a decent dividend. The real interest for us, though, comes in the form of an imminent spin-off of the firm’s data management business Veritas, which is expected to complete in January 2016. This will enable the group to focus on its core security offering and could eventually spark a re-rating, making the shares a potentially interesting recovery play.

For a more straightforward growth play investors might want to take a look at Israeli firm Check Point Software Technologies Ltd. (NASDAQ:CHKP). The $14 billion market cap specialises in firewalls and has an estimated 15% share of the network security market. The firm’s sought after capabilities are underlined by its operating margins of almost 60% and a forward P/E of around 19x. There is also plenty of cash available on the balance sheet for potential acquisitions and buybacks.

Meanwhile, those with an eye to a more speculative investment could check out FireEye Inc. (NASDAQ:FEYE), which has carved out a niche for itself in a market it helped to create. Unlike more traditional antivirus solutions, FireEye’s software tracks potentially malicious software on its network of virtual machines in real time. This allows it to identify what are referred to as “zero-day exploits” – exploits that IT staff have literally ‘zero’ days to identify and address. Revenue growth has been rapid, but the shares seem to have gotten ahead of themselves and have more than halved in recent years as investors have taken fright at the lack of profitability and the fact that the company is still burning through cash.